Using Expressions in Structured Searches and Rules
An expression can contain a single event attribute, multiple attributes, or functions that contain an event attribute as their argument. You can also use parentheses and arithmetic operators to form complex expressions.
You can enter an expression manually, paste it in, or build it dynamically using the Expression Builder. The Expression Builder inserts functions and event attributes for you, but you still have to type any parentheses and arithmetic operators that the expression needs.
The Expression Builder
Creating Expressions
Adding a Function
Filter Condition Functions
Aggregation Condition Functions
The Expression Builder
You can access the Expression Builder by clicking the e icon next to the Attribute or Value field when creating a structured search or rule.
This screenshot shows the Expression Builder open for creating a rule.
Creating Expressions
Adding a Function
To add a function to the expression, select it from the Add Function menu, and then click the + icon. The available functions depend on whether you are creating an expression to use as part of a filter condition for a search or rule, or as part of the aggregation conditions for a rule.
Selecting Function-Specific Attributes
When you select any type of function, the function and a set of parentheses are added to the expression. If you place your cursor within the parentheses and then open the Event Attribute menu, you will see only the event attributes that are relevant for that function. For example, if you select COUNT as the function, (MATCHED ITEMS) automatically appears between the parentheses and is selected in the Event Attribute menu. If you select a function like AVG for an aggregation condition, you will see options such as CPU UTIL and Apache Uptime. If you select a function like HourOfDay for a filter condition, you will see options like Access Time and Vulnerable Since. In either case you can narrow the options by beginning to type a keyword in the Event Attribute menu. Selecting Attributes for Structured Searches, Display Fields, and Rules has more information about ways to search for and select event attributes.
Filter Condition Functions
If you select HourOfDay or DayOfWeek for the function, the Event Attributes menu will contain date and time-related event attributes, while if you select DeviceToCMDBAttr, it will contain device-related attributes.
Function | Description |
HourOfDay | Evaluates to the hour of the day of a date/time event attribute, so the condition can match only events from certain hours |
DayOfWeek | Evaluates to the day of the week of a date/time event attribute, so the condition can match only events from certain days |
DeviceToCMDBAttr | Looks up a CMDB attribute for the device that generated the event. The first argument must be an event attribute and the second argument must be a CMDB attribute, which you select from the CMDB Attribute menu. Use DeviceToCMDBAttr to build per-device thresholds, so that each device is compared with its own CMDB value rather than one global number |
This screenshot shows the beginning of creating an expression to use as the Attribute in a condition for a historical search. HourOfDay is selected as the Function, and Access Time is selected as the Event Attribute.
Aggregation Condition Functions
You use these functions to perform operations on numerical event attributes such as Sent Bytes, Received Bytes, CPU Utilization, or Memory Utilization.
Function | Description |
Count | Count the number of items returned |
Count Distinct | Count the number of distinct items returned |
Sum | Add the numbers |
Average | Average the numbers |
Min | The lowest number |
Max | The highest number |
Last | The last number |
First | The first number |
Pctile95 | The 95th percentile |
PctChange | Percentage change |
STAT_AVG | Statistical average. This function is used in conjunction with creating baseline reports. |
STAT_STDDEV | Statistical standard deviation. This function is used in conjunction with creating baseline reports. |
This screenshot shows the beginning of creating an expression to use as an aggregation condition in a rule. Max is selected as the Function, and CPU Util is selected as the Event Attribute.
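The following Python script is an added illustration of how the filter functions (HourOfDay, DayOfWeek, DeviceToCMDBAttr) and the aggregation functions above combine into a per-device threshold rule. It is not the product's own rule engine: the event field names, the CMDB attribute cpu_threshold, the sample events and the CMDB records are all constructed for the example. The rule it evaluates is "on a weekday before 06:00, Max(cpu_util) per device exceeds DeviceToCMDBAttr(device, cpu_threshold)".

```python
"""Toy evaluator for Expression Builder style conditions. Added example,
not product code: event fields, the CMDB attribute "cpu_threshold", the
sample events and the CMDB records are constructed for illustration."""
from collections import defaultdict
from datetime import datetime
from math import ceil
from statistics import mean

# Constructed CMDB: one record per device. "cpu_threshold" is a hypothetical
# CMDB attribute holding each device's own alerting threshold.
CMDB = {
    "web01": {"cpu_threshold": 80},
    "db01": {"cpu_threshold": 95},
}

# Constructed events (not real product logs); event_time is ISO-8601.
EVENTS = [
    {"device": "web01", "cpu_util": 85, "event_time": "2024-03-04T02:15:00"},
    {"device": "web01", "cpu_util": 70, "event_time": "2024-03-04T10:15:00"},
    {"device": "db01", "cpu_util": 90, "event_time": "2024-03-04T03:05:00"},
    {"device": "db01", "cpu_util": 97, "event_time": "2024-03-04T14:05:00"},
]

def hour_of_day(ts):
    """HourOfDay(<date/time attribute>): hour 0-23 of the timestamp."""
    return datetime.fromisoformat(ts).hour

def day_of_week(ts):
    """DayOfWeek(<date/time attribute>): ISO weekday, 1 = Monday .. 7 = Sunday."""
    return datetime.fromisoformat(ts).isoweekday()

def device_to_cmdb_attr(device, attr):
    """DeviceToCMDBAttr(<device attribute>, <CMDB attribute>): per-device lookup."""
    return CMDB[device][attr]

def pctile95(values):
    """Nearest-rank 95th percentile of the values in the window."""
    ordered = sorted(values)
    return ordered[ceil(0.95 * len(ordered)) - 1]

def pct_change(values):
    """Percentage change from the first to the last value in the window."""
    return (values[-1] - values[0]) / values[0] * 100.0

# Aggregation functions, keyed by the names shown in the Add Function menu.
AGG = {
    "COUNT": len,
    "COUNT_DISTINCT": lambda xs: len(set(xs)),
    "SUM": sum,
    "AVG": mean,
    "MIN": min,
    "MAX": max,
    "FIRST": lambda xs: xs[0],
    "LAST": lambda xs: xs[-1],
    "PCTILE95": pctile95,
    "PCTCHANGE": pct_change,
}

def evaluate_rule(events, filter_cond, group_by, agg_func, agg_attr, threshold_attr):
    """Apply the filter condition, aggregate the surviving events per device,
    then compare each device's aggregate with its own CMDB threshold.
    Returns {device: (aggregate, threshold)} for every device that breaches."""
    groups = defaultdict(list)
    for ev in events:
        if filter_cond(ev):
            groups[ev[group_by]].append(ev[agg_attr])
    breaches = {}
    for device, values in groups.items():
        aggregate = AGG[agg_func](values)
        threshold = device_to_cmdb_attr(device, threshold_attr)
        if aggregate > threshold:
            breaches[device] = (aggregate, threshold)
    return breaches

def off_hours_cpu_rule(events=EVENTS):
    """Filter: HourOfDay(event_time) < 6 AND DayOfWeek(event_time) <= 5.
    Aggregation: MAX(cpu_util) > DeviceToCMDBAttr(device, cpu_threshold)."""
    def off_hours(ev):
        return hour_of_day(ev["event_time"]) < 6 and day_of_week(ev["event_time"]) <= 5
    return evaluate_rule(events, off_hours, "device", "MAX", "cpu_util", "cpu_threshold")

if __name__ == "__main__":
    # web01 breaches (85 > 80); db01's off-hours peak of 90 stays under its own 95.
    print("off-hours breaches:", off_hours_cpu_rule())
```

The comparison worth noticing is db01: its off-hours peak of 90 would fire against a single global threshold of 80, but not against the value DeviceToCMDBAttr returns for it, which is the point of per-device thresholds. Dropping the time filter (pass `lambda ev: True` to evaluate_rule) makes db01 breach on its 14:05 reading of 97.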